NetYCE Documentation
This installation guide installs NetYCE version 7.x on a RedHat 7 or CentOS 7 physical or virtual x86_64 platform.
References to EL or RHEL refer to RedHat Enterprise Linux or CentOS Linux. All OS versions and packages must use the x86_64 architecture, that is, x86 processors running 64-bit. The installation applies to both physical and virtual platform deployments.
The choice of operating system (RedHat or CentOS), disk filesystem layout, installed packages, and security hardening are mostly defined by the customer's common practice. NetYCE does have some requirements on disk usage and directory trees that may warrant filesystem allocations, and it relies on a specific functional user, 'yce', that requires some sudo permissions.
A basic set of packages should be installed, which will later be amended with the NetYCE-specific software. The basic OS installation can easily be done by the customer, but we recommend that the NetYCE software installation and configuration be a joint effort.
During the first install of the NetYCE software packages, the configuration preferences and details of the NetYCE system and its architecture are defined and initialized. Subsequent software upgrades and patches can be installed by the application manager using the NetYCE front-end without requiring system privileges; only some major upgrades will require them.
The NetYCE software installation consists of two self-installing packages, YCE and YCEperl, a sample database and a license file. The installation depends on MariaDB (mysql server), apache (http server), fping and some standard distribution packages (openssl, tftp, ftp, ssh, telnet, gtar, etc). MySecureShell is a non-standard distribution package used for the sftp jail functionality.
The hardware requirements of NetYCE are moderate, although much depends on the intended level of use and the application architecture selected.
In general we suggest deploying two NetYCE servers in different data centers, attached to the Network Management (NMS) networks. These systems provide both front-end (user and network facing) functions AND a database function. These functions can be configured to provide live failover and backup services by means of master-master replication. The front-end functions support 10-20 simultaneous users and can execute several thousand config changes per hour.
For such deployments a physical or virtual x86 server needs at least two CPU cores and 4 GB of memory; 4 cores and 8 GB of memory are recommended.
Disk space can be local or SAN based and need not exceed 50 GB. This disk space can be allotted to a single filesystem or split across several, depending on system management preferences.
The NetYCE directory structure uses several trees for various functions. Assigning the mysql, shared and working/logs trees their own filesystems is recommended:
/                 3 to 6 GB    (OS root, bin, usr, lib, opt, etc)
/opt/yce          200 MB
/opt/nms          200 MB
/opt/ycelib       600 MB
/var/opt/yce      3 to 6 GB    (logs and working data)
/var/opt/shared   6 to 12 GB   (tftp, os-files)
/var/opt/mysql    4 to 8 GB    (mysql data)
Verify that SELinux is not enforcing:
$ cat /etc/selinux/config
⇒ preferred: SELINUX=disabled
⇒ workable: SELINUX=permissive
If it is set to enforcing, edit /etc/selinux/config, change SELINUX=enforcing to SELINUX=disabled and reboot the VM; a change to this file only takes effect after a reboot. 'getenforce' shows the mode currently in effect. If you want to keep an audit trail, permissive mode does not block NetYCE but still logs every denial to /var/log/audit/audit.log, which is the input you would need should you later decide to write a policy for it.
Make sure a hostname is set and check the output of the commands below:
# hostnamectl set-hostname rhel7.netyce.org
# uname -i
x86_64
Verify the ip settings:
$ hostname
⇒ hostname (preferably not the fqdn)
$ hostname --domain
⇒ domain name
$ hostname --ip-address
⇒ one (1) ip-address of the local interface
'hostname --domain' and 'hostname --ip-address' resolve the hostname through /etc/hosts (or DNS), so an /etc/hosts line mapping the interface address to "fqdn shortname" is what makes these return the expected values. Correct the settings using 'setup' (on RHEL7, 'nmtui') and by editing /etc/hosts.
Verify that DNS is configured:
- update /etc/resolv.conf if needed
- test using nslookup on a device name (on a minimal installation, install bind-utils first using yum)
- check the search path and domain
Verify that openssl is installed:
$ openssl
⇒ must start its interactive prompt; type 'quit' to leave it
Verify that rpm is functional, e.g.:
# rpm --version
Verify that a valid RedHat (or CentOS) release is present:
$ cat /etc/redhat-release
⇒ the supported RHEL7 release is 7.6
To update to the latest RHEL7 release, connect the server to the internet and run (as root):
# yum update
When completed, reboot and verify again using:
$ cat /etc/redhat-release
Note: during the install or updates, yum might (re-)enable 'firewalld'. If your system's firewalld is not configured, its default zone only allows SSH connections and blocks all others, including httpd, mysql, yce_xch, yce_sched, etc.
To disable 'firewalld':
# systemctl stop firewalld
# systemctl disable firewalld
If your security policy requires a host firewall, the alternative is to keep firewalld running and open only the ports the NetYCE services listen on with firewall-cmd (http/https and the Mojo port chosen in the setup below, ssh/sftp, ftp, tftp and, between replicated database servers, mysql), then test every service after doing so.
Set the timezone and keep the hardware clock in sync.
/etc/sysconfig/clock – add UTC=yes for hypervisors that do not set the hwclock to UTC time:
ZONE="Europe/Amsterdam"
UTC="yes"
/etc/sysconfig/ntpdate – set the option to keep the hw-clock in sync after an ntpdate adjustment:
SYNC_HWCLOCK=yes
Add the following lines to /etc/environment:
LANG=en_US.utf-8
LC_ALL=en_US.utf-8
Some customer Linux systems have a filesystem setup where most application subtrees have their own volume. Their sizes need to be adjusted to match the required size, using:
# lvextend -L <size> -r <fs-device>
on the filesystems below. Check the actual device name with 'df -h'.
mountpoint        size   device
/opt/nms
/opt/yce
/opt/ycelib       2G     /dev/mapper/vg.appl-lv.optycelib
/var/opt/yce      2G     /dev/mapper/vg.appl-lv.varoptyce
/var/opt/mysql    5G     /dev/mapper/vg.appl-lv.varoptmysql
/var/opt/shared   5G     /dev/mapper/vg.appl-lv.varoptshared
Typical systems are set up with separate filesystems for:
/opt              10G
/var/opt/mysql    5G
/var/opt/shared   5G
Make sure to have the following available on your VM:
The yceperl binary, YCE binary, your yce_license and a NetYCE database if applicable.
Install the following packages from the default repository using yum; the packages from non-standard repositories are installed later in this guide:
SDL apr apr-util at atlas autofs autogen-libopts avahi-libs bc bind-libs bind-utils bison blas blktrace boost-date-time boost-program-options boost-system boost-thread bridge-utils byacc bzip2 centos-indexhtml cmake crda crypto-utils cryptsetup cscope ctags cyrus-sasl-plain desktop-file-utils diffstat dmraid dmraid-events doxygen dstat dwz dyninst ed efivar-libs elfutils emacs-filesystem epel-release flex fontconfig fontpackages-filesystem fribidi ftp galera gdbm-devel gettext-common-devel gettext-devel gnutls gpg-pubkey gpm-libs graphite2 gsm gssproxy harfbuzz hdparm hesiod hicolor-icon-theme httpd httpd-manual httpd-tools indent iotop ius-release jbigkit-libs kernel keyutils keyutils-libs-devel krb5-devel lapack ldns libarchive libbasicobjects libcollection libcom_err-devel libdwarf libevent libfprint libgfortran libini_config libjpeg-turbo libkadm5 libmodman libnfsidmap libnl libogg libpath_utils libpcap libproxy libquadmath libref_array libselinux-devel libsepol-devel libsndfile libtar libtheora libtirpc libusbx libverto-devel libverto-libevent libvorbis libwayland-server libxml2-python libzip lsof m4 mailcap mailx man-pages man-pages-overrides mdadm mlocate mod_nss mod_ssl mod_wsgi mokutil mpfr mtr neon net-snmp-libs net-snmp-utils nettle nfs-utils nfs4-acl-tools nscd nss-pam-ldapd ntp ntpdate ntsysv numactl numpy openldap-clients openssl-devel oprofile pakchois patch patchutils pciutils pcre-devel perf php php-cli php-common pixman psmisc pygobject2 pyparsing python-augeas python-backports python-backports-ssl_match_hostname python-chardet python-ipaddress python-kitchen python-nose python-setuptools python-six python2-futures quota quota-nls rcs redhat-rpm-config rpcbind rpm-sign rsync satyr sg3_utils-libs sgpio sos swig systemd-python tcp_wrappers tcsh telnet tftp theora-tools time tmpwatch traceroute trousers unbound-libs unzip usermode vim-common vim-enhanced vim-filesystem vsftpd wget xdg-utils xmlrpc-c xmlrpc-c-client xz-lzma-compat yum-utils zip 
zlib-devel
NetYCE uses the external binary 'fping' (fast-ping) for icmp reachability tests. Where earlier NetYCE installations required this tool to be installed from a downloadable rpm, the current release installs the binary from the NetYCE distribution.
This NetYCE-distributed fping variant includes the IPv6 support that the rpm packages lack. It is installed by a patch that is executed automatically when running NetYCE version 7.1.1, but must be run manually for later versions:
-- as 'yce' user:
go patches
perl 19100302 -F
If installed correctly, the new fping reports version 4.2 (the older one is version 3.x):
-- as 'yce':
fping -v
fping: Version 4.2
Alternatively the rpm fping version (lacking IPv6 support) can be installed using:
-- as root:
yum -y install https://centos7.iuscommunity.org/ius-release.rpm
yum -y install fping
Install MySecureShell from its own repository. Note that this repository is fetched over plain http with gpgcheck=0, so yum cannot verify what it installs; on a hardened build, download the rpm, verify it out of band and serve it from an internal, signed repository instead:
cat > /etc/yum.repos.d/mysecureshell.repo << EOF
[mysecureshell]
name=MySecureShell
baseurl=http://mysecureshell.free.fr/repository/index.php/centos/6.4/
enabled=1
gpgcheck=0
EOF
yum -y install mysecureshell
Install MariaDB 10.3 from the MariaDB repository (signed; gpgcheck=1 with the key fetched over https):
cat > /etc/yum.repos.d/MariaDB_10_3.repo << EOF
# MariaDB 10.3 CentOS repository list - created 2019-06-20 15:41 UTC
# http://downloads.mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.3/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
EOF
yum -y install MariaDB-server MariaDB-client
Configure snmpd with two read-only communities: 'readsys' (ConfigUser) only exposes the system and host-resources subtrees, 'readall' (AllUser) exposes the entire MIB tree. Both are accepted from any source address ('default'), so on a production system restrict the source to the NMS subnet(s) and replace the community names before enabling the service:
cat > /etc/snmp/snmpd.conf << EOF
# Map 'readsys' community to the 'ConfigUser'
# Map 'readall' community to the 'AllUser'
#        sec.name     source   community
com2sec  ConfigUser   default  readsys
com2sec  AllUser      default  readall
# Map 'ConfigUser' to 'ConfigGroup' for SNMP Version 2c
# Map 'AllUser' to 'AllGroup' for SNMP Version 2c
#       group         sec.model  sec.name
group   ConfigGroup   v2c        ConfigUser
group   AllGroup      v2c        AllUser
# Define 'SystemView', which includes everything under .1.3.6.1.2.1.1 (or .1.3.6.1.2.1.25.1)
# Define 'AllView', which includes everything under .1
#      view         incl/excl  subtree
view   SystemView   included   .1.3.6.1.2.1.1
view   SystemView   included   .1.3.6.1.2.1.25.1.1
view   AllView      included   .1
# Give 'ConfigGroup' read access to objects in the view 'SystemView'
# Give 'AllGroup' read access to objects in the view 'AllView'
#        group         context  model  level   prefix  read        write  notify
access   ConfigGroup   ""       any    noauth  exact   SystemView  none   none
access   AllGroup      ""       any    noauth  exact   AllView     none   none
EOF
To start snmpd: systemctl start snmpd ('stop' to turn it off).
To enable snmpd at boot: systemctl enable snmpd ('disable' to disable it).
# create the group with gid 8000
groupadd -g 8000 nms
# create user 'yce' with uid 8000, primary group nms and a home directory (no private 'yce' group)
useradd -g nms -m -u 8000 -s /bin/bash yce
# set the password for user yce
passwd yce
Put the following in /home/yce/.bash_profile. Note that the PATH ends with '.', which puts the current directory on the search path; on a hardened system drop that entry, so that an executable planted in a directory the user happens to be in cannot shadow a command.
# .bash_profile
#
# NetYCE, 2018
#
# "export LC_ALL=C"
if [ -r "/opt/yce/system/go" ]; then
    export RDEV="devel6"
    source "/opt/yce/system/go"
else
    echo "Skipping 'go'"
fi
export PATH="$PATH:/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin:/opt/yce/bin:/opt/yce/system:."
export LD_LIBRARY_PATH="/lib:/usr/lib:/usr/local/lib"
export LC_CTYPE="en_US.UTF-8"
export LC_ALL=C
export EDITOR=vi
if [ "${TERM}x" = "x" ]; then
    export TERM=ansi
    stty erase ^?
fi
if [ "$TERM" = "ansi" ]; then
    stty erase ^H
fi
set -o emacs
umask 0002
export PS1='\e[32m\u@\h\e[0m \w\n\$ '
if [ -f /etc/DIR_COLORS ]; then
    # eval `dircolors -b /etc/DIR_COLORS | sed 's/di=01;93/di=01;34/'`
    alias ls='ls -N --color=tty -T 0 '
fi
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi
alias perl='/opt/ycelib/perl/bin/perl'
alias perldoc='/opt/ycelib/perl/bin/perldoc'
alias srch='/opt/yce/system/tools/srch.pl'
alias l='ls -lF'
alias ll='ls -laF'
alias lc='ls -CaF'
alias lr='ls -latrF'
alias o='less'
alias grep='grep --color=auto'
alias gerp='grep'
alias cp='cp -i'
# .bashrc for yce
cat >> /home/yce/.bashrc << EOF
# User specific aliases and functions
if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi
EOF
# .vimrc for yce
cat > /home/yce/.vimrc << EOF
set ts=4
set sw=4
set ai
set noerrorbells
set formatoptions-=r
EOF
# .bash_profile for root: the same profile as for the yce user, with a launcher for net_setup.pl appended.
# Note that this runs net_setup.pl at every interactive root login; since net_setup.pl does not yet support
# CentOS 7 (see the network setup below), you may prefer to leave the launcher out on EL7.
# .bash_profile
#
# NetYCE, 2018
#
if [ -r "/opt/yce/system/go" ]; then
    export RDEV="devel6"
    source "/opt/yce/system/go"
else
    echo "Skipping 'go'"
fi
export PATH="$PATH:/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin:/opt/yce/bin:/opt/yce/system:."
export LD_LIBRARY_PATH="/lib:/usr/lib:/usr/local/lib"
export LC_CTYPE="en_US.UTF-8"
export LC_ALL=C
export EDITOR=vi
if [ "${TERM}x" = "x" ]; then
    export TERM=ansi
    stty erase ^?
fi
if [ "$TERM" = "ansi" ]; then
    stty erase ^H
fi
set -o emacs
umask 0002
export PS1='\e[32m\u@\h\e[0m \w\n\$ '
if [ -f /etc/DIR_COLORS ]; then
    # eval `dircolors -b /etc/DIR_COLORS | sed 's/di=01;93/di=01;34/'`
    alias ls='ls -N --color=tty -T 0 '
fi
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi
alias perl='/opt/ycelib/perl/bin/perl'
alias perldoc='/opt/ycelib/perl/bin/perldoc'
alias srch='/opt/yce/system/tools/srch.pl'
alias l='ls -lF'
alias ll='ls -laF'
alias lc='ls -CaF'
alias lr='ls -latrF'
alias o='less'
alias grep='grep --color=auto'
alias gerp='grep'
alias cp='cp -i'
echo " "
if [ -x "/opt/yce/system/net_setup.pl" ]; then
    /opt/yce/system/net_setup.pl
else
    echo "ERROR: cannot start net_setup.pl"
fi
echo " "
echo " You can setup the networking by logging in "
echo " as 'root' or using"
echo " /opt/yce/system/net_setup.pl"
echo " "
echo " YCE setup can be restarted as 'yce' user using"
echo " /opt/yce/system/yce_setup.pl"
echo " "
# .bashrc for root
cat >> ~/.bashrc << EOF
# User specific aliases and functions
if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi
EOF
# .vimrc for root
cat > ~/.vimrc << EOF
set ts=4
set sw=4
set ai
set noerrorbells
set formatoptions-=r
EOF
A couple of 'services' will be installed for NetYCE:
- yce_psmon
- httpd
- mysql
- vsftpd
Of these, yce_psmon and httpd require 'root' permissions to start.
Since all application maintenance will (or should) be executed using the functional user 'yce', sudo should be set up to permit this. The default setup expects /sbin/service to be available to the 'yce' user, and its execution should not require a password.
Add the following using visudo, and remove any mention of sudoers.d (if present) at the end of the file. Keep exactly one of the %nms rules active and read it carefully before choosing:
- The MINIMUM profile grants passwordless sudo for the YCE alias only; everything else is allowed with the yce password, so that password is effectively a root password and must be protected accordingly.
- The commented MAINTENANCE and DEVELOPMENT variants reference a SERVICES alias that is not defined in this fragment. Define it (the /sbin/service command mentioned above is the obvious member) before uncommenting them, or visudo will flag it as referenced but not defined.
- '%nms ALL=NOPASSWD:ALL' makes every member of 'nms' root-equivalent without a password; it is listed for development only and has no place on a production system.
Check the result with 'visudo -c' and 'sudo -l -U yce'.
# Yce
Cmnd_Alias YCE = /opt/yce/system/init/yce_tftpd
# Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum, /usr/bin/updatedb, /bin/ping
# Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall, /usr/bin/pkill
# Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool, /usr/sbin/ip, /usr/sbin/dhclient, /usr/sbin/iptables, /usr/sbin/ifstat, /sbin/iwconfig, /usr/sbin/ethtool
# Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Delegating permissions
Cmnd_Alias DELEGATING = /bin/chown, /bin/chmod, /bin/chgrp
Cmnd_Alias SHELLS = /bin/sh,/bin/bash
Cmnd_Alias SU = /bin/su
Cmnd_Alias LOGIN = /bin/login
Cmnd_Alias REBOOT = /usr/bin/reboot
Cmnd_Alias SHUTDOWN = /usr/bin/poweroff, /usr/bin/halt, /sbin/shutdown
Defaults !requiretty
#==== YCE user group 'nms'
# Below are a few examples.
# For production the MINIMUM profile might be a good start.
# For testing, the MAINTENANCE is regularly used.
# MINIMUM
# No password required for YCE applications, ALL other applications are allowed with a password.
%nms ALL = PASSWD:ALL, NOPASSWD:YCE
# MAINTENANCE
# No password required for YCE applications and services and processes. NO other applications are allowed to run at all!
# %nms ALL=NOPASSWD:YCE, SERVICES, PROCESSES
# Same, but all applications are allowed if you know the password.
# %nms ALL=NOPASSWD:YCE, SERVICES, PROCESSES, PASSWD:ALL
# DEVELOPMENT
# %nms ALL=NOPASSWD:SOFTWARE, YCE, SERVICES, PROCESSES, PASSWD:ALL
# %nms ALL=NOPASSWD:DELEGATING, NETWORKING, SOFTWARE, YCE, SERVICES, PROCESSES, PASSWD:ALL
# %nms ALL=NOPASSWD:ALL
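Before enabling one of the %nms rules it pays to know exactly what the group can run as root without a password. The script below is an added example for this guide, not part of NetYCE: it parses a sudoers fragment, expands the Cmnd_Alias names in the group's NOPASSWD list (applying the sudoers rule that a PASSWD/NOPASSWD tag sticks to every following command until another tag appears) and classifies the result. It flags ALL and the root-equivalent commands from the aliases above (shells, su, login, rpm/yum, chown/chmod) and reports an alias that is referenced but never defined, as SERVICES is in this fragment. The script name, the verdict words and the list of root-equivalent commands are this example's own; it handles the flat aliases used here, not nested aliases or '!' negations.

```sh
#!/bin/sh
# sudoers_nms_audit.sh - added example for this guide, not NetYCE software.
# Usage: sh sudoers_nms_audit.sh /etc/sudoers [group]      (default group: nms)
# Handles the flat Cmnd_Alias lists used in this guide; nested aliases and
# '!' negations are not expanded.

# sudoers_active FILE: the file without comments and blank lines
sudoers_active() {
    sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# alias_cmds FILE NAME: the commands listed by "Cmnd_Alias NAME = ...", one per line
alias_cmds() {
    sudoers_active "$1" | awk -v name="$2" '
        $1 == "Cmnd_Alias" {
            line = $0
            sub(/^[ \t]*Cmnd_Alias[ \t]+/, "", line)
            eq = index(line, "=")
            nm = substr(line, 1, eq - 1)
            gsub(/[ \t]/, "", nm)
            if (nm != name) next
            n = split(substr(line, eq + 1), cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                if (c != "") print c
            }
        }'
}

# nopasswd_entries FILE GROUP: the items %GROUP may run under a NOPASSWD tag.
# A tag applies to every following item until another tag appears; the default
# (no tag at all) is PASSWD, which is what this walk reproduces.
nopasswd_entries() {
    sudoers_active "$1" | awk -v grp="%$2" '
        $1 == grp {
            line = $0
            sub(/^[^=]*=[ \t]*/, "", line)
            n = split(line, items, ",")
            tag = "PASSWD"
            for (i = 1; i <= n; i++) {
                it = items[i]
                gsub(/^[ \t]+|[ \t]+$/, "", it)
                if (sub(/^NOPASSWD:[ \t]*/, "", it)) { tag = "NOPASSWD" } else if (sub(/^PASSWD:[ \t]*/, "", it)) { tag = "PASSWD" }
                if (tag == "NOPASSWD" && it != "") print it
            }
        }'
}

# nopasswd_expanded FILE GROUP: the NOPASSWD items with aliases replaced by their
# commands; an alias without a definition is reported as UNDEFINED:<name>
nopasswd_expanded() {
    nopasswd_entries "$1" "$2" | while read -r item; do
        case "$item" in
            ALL) echo ALL ;;
            [A-Z]*)
                cmds=$(alias_cmds "$1" "$item")
                if [ -n "$cmds" ]; then printf '%s\n' "$cmds"; else echo "UNDEFINED:$item"; fi ;;
            *) echo "$item" ;;
        esac
    done
}

# sudo_risk FILE GROUP: prints "root-equivalent" when the passwordless set contains ALL
# or a command that trivially yields root (a shell, su, login, the package manager,
# chown/chmod); "undefined-alias" when a rule references an alias that is not defined
# (visudo flags this); otherwise "restricted"
sudo_risk() {
    verdict=restricted
    list=$(nopasswd_expanded "$1" "$2")
    oldifs=$IFS
    IFS='
'
    for c in $list; do
        case "$c" in
            ALL|/bin/sh|/bin/bash|/bin/su|/bin/login|/bin/rpm|/usr/bin/yum|/bin/chown|/bin/chmod)
                verdict=root-equivalent ;;
            UNDEFINED:*)
                if [ "$verdict" = restricted ]; then verdict=undefined-alias; fi ;;
        esac
    done
    IFS=$oldifs
    echo "$verdict"
}

if [ -n "${1:-}" ]; then
    echo "passwordless commands for %${2:-nms}:"
    nopasswd_expanded "$1" "${2:-nms}"
    echo "verdict: $(sudo_risk "$1" "${2:-nms}")"
fi
```

With the MINIMUM rule active the verdict is "restricted" (only /opt/yce/system/init/yce_tftpd is passwordless); uncommenting a MAINTENANCE rule as written yields "undefined-alias" until SERVICES is defined, and the last DEVELOPMENT rule yields "root-equivalent".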
Put the following in /root/.bash_aliases:
export PAGER="less"
export EDITOR="vim"
alias l='ls -CF'
alias ll='ls -lhF'
alias llt='ls -latrF'
alias lr='ls -latrF'
alias la='ls -ahF'
alias lla='ls -lahF'
alias lc='ls -CaF'
alias p='ping'
alias pst='ps axjf'
alias t='telnet'
alias n='nslookup'
alias o='less'
if [ -x /usr/bin/vim ]; then
    alias vi='vim'
fi
alias grep='grep --color=auto'
alias gerp='grep'
alias ip='ip --color'
alias ip4='ip -4 --color --brief addr | grep -v UNKNOWN'
alias ip6='ip -6 --color --brief addr | grep -v UNKNOWN'
# other
alias add='/opt/yce/system/patches/vendor_support.pl add'
alias perl='/opt/ycelib/perl/bin/perl'
alias perldoc='/opt/ycelib/perl/bin/perldoc'
alias srch='/opt/yce/system/tools/srch.pl'
# enable the httpd service at startup
sudo systemctl enable httpd
# this creates the following symlink:
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service
# move the ssl, nss and manual configs out of the way (with these and 00-ssl.conf moved aside httpd serves plain http only; keep them if the front-end is to serve https)
sudo mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.unwanted
sudo mv /etc/httpd/conf.d/nss.conf /etc/httpd/conf.d/nss.conf.unwanted
sudo mv /etc/httpd/conf.d/manual.conf /etc/httpd/conf.d/manual.conf.unwanted
# This should actually be done in yce_setup.pl, as it depends on the choice for SSL/https.
sudo mv /etc/httpd/conf.modules.d/00-ssl.conf /etc/httpd/conf.modules.d/00-ssl.conf.unwanted
# Comment out every line in welcome.conf. If the file is deleted instead, an apache upgrade will put it back.
sudo sed -i -e 's/^/# /' /etc/httpd/conf.d/welcome.conf
# suexec was not active on CentOS 6, so it is disabled on CentOS 7 as well
sudo sed -i -e 's@^LoadModule suexec_module@# LoadModule suexec_module@' /etc/httpd/conf.modules.d/00-base.conf
# install the NetYCE perl on the new system
sudo mkdir /opt/ycelib
sudo chown yce:nms /opt/ycelib
sh yceperl_7.0.2.bin   # as yce user, no sudo!
No entry for the yce user in /etc/cron.allow appears to be needed for the user to create crontab entries.
As the yce user, create the working tree:
sudo mkdir /var/opt/yce
cd /var/opt/yce
sudo mkdir backup configs download jobs logs output
sudo chown -R yce:nms /var/opt/yce/
# create the transfer account 'ycicle' with the UID and GID of the yce user (both 8000 if you followed this guide)
grep '^yce:' /etc/passwd
useradd -M -d /var/opt/shared -s /bin/bash -o -u 8000 -g 8000 ycicle
passwd ycicle
# prevent password expiry
/usr/bin/passwd -n 0 -x 99999 -i -1 ycicle
Make sure the shell of the ycicle user is set to /bin/MySecureShell (e.g. 'chsh -s /bin/MySecureShell ycicle' or 'usermod -s'). Because of '-o', ycicle shares its uid with yce and the kernel treats both as the same user for file access; the only things confining device transfers are the MySecureShell jail and the vsftpd chroot configured below, so give ycicle no other login path and treat its password like the yce one.
Replace the contents of /etc/vsftpd/vsftpd.conf with the following:
# NetYCE 2019
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=002
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/opt/yce/logs/ftpxfer.log
vsftpd_log_file=/var/opt/yce/logs/ftplog.log
xferlog_std_format=YES
chroot_list_enable=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
local_root=/var/opt/shared
secure_chroot_dir=/var/opt/shared
chown_username=yce.nms
guest_enable=NO
force_dot_files=NO
hide_file={.yce_prop}
delete_failed_uploads=YES
log_ftp_protocol=NO
And the following in /etc/vsftpd/chroot_list (with chroot_local_user at its default of NO, the users listed here are the ones that ARE chrooted):
ycicle
Put the following in /etc/ssh/sshd_config. The file used here is the stock sshd_config with its defaults left commented out; only the directives below change or pin a setting, and everything not listed keeps the sshd default. The 'Match User ycicle' block disables forwarding for the transfer account; its ChrootDirectory and ForceCommand lines are left commented because MySecureShell (configured next) provides the jail. Note that PasswordAuthentication stays enabled (devices authenticate with a password), and that X11Forwarding and GSSAPIAuthentication are enabled globally; switch those two off if nothing on the server needs them. Check the result with 'sshd -t' and inspect the effective settings for the transfer account with 'sshd -T -C user=ycicle'.
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
UseDNS no
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Subsystem sftp internal-sftp
Match User ycicle
#   ChrootDirectory /var/opt/shared
#   ForceCommand internal-sftp
#   ForceCommand /opt/yce/bin/cpsh.pl
    AllowTCPForwarding no
    X11Forwarding no
Create the following in /etc/ssh/sftp_config. The limited download speeds (100 mbps global and 10 mbps per session) are intended as guidelines to prevent multiple OS-file transfers from consuming too much bandwidth; these values can be adjusted to suit server and network capabilities. VirtualChroot is a jail enforced by MySecureShell itself, not a kernel chroot, which is why the sshd ChrootDirectory above stays commented out.
## MySecureShell Configuration File ##
# NetYCE 2019
# Default rules for everybody
<Default>
    GlobalDownload          100m    #total speed download for all clients
                                    # o -> bytes k -> kilo bytes m -> mega bytes
    GlobalUpload            0       #total speed upload for all clients (0 for unlimited)
    Download                10m     #limit speed download for each connection
    Upload                  0       #unlimited speed upload for each connection
    StayAtHome              true    #limit client to his home
    VirtualChroot           true    #fake a chroot to the home account
    LimitConnection         50      #max connection for the server sftp
    LimitConnectionByUser   50      #max connection for the account
    LimitConnectionByIP     50      #max connection by ip for the account
    Home                    /var/opt/shared/
    Shell                   /opt/yce/bin/cpsh.pl
    IdleTimeOut             30m     # disconnect idle client after 30 min
    ResolveIP               false   #resolve ip to dns
    IgnoreHidden            true    #treat all hidden files as if they don't exist
    DirFakeUser             true    #Hide real file/directory owner (just change displayed permissions)
    DirFakeGroup            true    #Hide real file/directory group (just change displayed permissions)
    DirFakeMode             0400    #Hide real file/directory rights (just change displayed permissions)
                                    #Add execution right for directory if read right is set
    HideNoAccess            true    #Hide file/directory which user has no access
#   MaxOpenFilesForUser     20      #limit user to open x files on same time
#   MaxWriteFilesForUser    10      #limit user to x upload on same time
#   MaxReadFilesForUser     10      #limit user to x download on same time
    DefaultRights           0640 0750   #Set default rights for new file and new directory
#   MinimumRights           0400 0700   #Set minimum rights for files and dirs
    ShowLinksAsLinks        false   #show links as their destinations
    ConnectionMaxLife       2h      #limits connection lifetime to 2 hours
#   Charset                 "ISO-8859-15"   #set charset of computer
</Default>
<User ycicle>
    Shell               /opt/yce/bin/cpsh.pl
    Home                /var/opt/shared/
    VirtualChroot       true
    ResolveIP           false
    IgnoreHidden        true
    ShowLinksAsLinks    false
</User>
#Include /etc/my_sftp_config_file   #include this valid configuration file
Before starting, run the yce binary as root and just press enter through everything, so that all directories get created and files are put in place (the filename may differ, of course):
sh yce_7.1.1_20190522.bin
At the moment net_setup.pl only supports CentOS 6, therefore the network config files must be created manually. Revise the values below to suit your situation; the values of the NAT interface inside the XML (its address, gateway and MAC) are placeholders as well:
IP=192.168.56.101
HOSTNAME=rhel7
DOMAIN=netyce.org
IFNY=enp0s8
IFNAT=enp0s3
HWADDRNY=08:00:27:DF:B5:07
DNS1=8.8.8.8
DNS2=8.8.4.4
cat > /opt/yce/etc/net_setup.xml << EOF
<setup>
  <local name="accounts" root_password="initialized at 2015-04-01 09:00:30" yce_password="initialized at 2015-04-01 09:00:37" />
  <local name="host" application_if="$IFNY" domainname="${DOMAIN}" fqdn="${HOSTNAME}.${DOMAIN}" hostname="${HOSTNAME}" networking="yes" ntpaddress="149.210.205.44" />
  <local name="net">
    <$IFNAT bootproto="dhcp" device="$IFNAT" dhcphostname="${HOSTNAME}.${DOMAIN}" gatewaydev="$IFNAT" ipv4address="10.0.3.15" ipv4gateway="10.0.3.2" ipv4netmask="255.255.255.0" ipv4network="10.0.3.0" ipv4prefix="24" macaddress="08:00:27:e4:c0:79" name="$IFNAT" nmcontrolled="yes" onboot="yes" peerdns="yes" primarydns="$DNS1" secondarydns="$DNS2" type="Ethernet" />
    <$IFNY bootproto="static" device="$IFNY" dhcphostname="" gatewaydev="$IFNAT" ipv4address="$IP" ipv4gateway="automatic" ipv4netmask="255.255.255.0" ipv4network="192.168.56.0" ipv4prefix="24" macaddress="$HWADDRNY" name="$IFNY" nmcontrolled="yes" onboot="yes" peerdns="yes" primarydns="$DNS1" secondarydns="$DNS2" type="Ethernet" />
  </local>
</setup>
EOF
# YCE setup
cat > /opt/yce/etc/yce_setup.xml << EOF
<setup>
  <override>
    <configs crontab="update" httpd="update" mojo="update" network="keep" />
    <daemons yce_ibd="disable" yce_nccmd="enable" />
  </override>
  <yce name="$HOSTNAME">
    <database database_id="1" type="mysql" />
    <host domainname="$DOMAIN" fqdn="${HOSTNAME}.${DOMAIN}" hostname="$HOSTNAME" />
    <httpd mode="root" proto="http" type="apache" urlbase="name" />
    <login domainname="$DOMAIN" expire="10" />
    <mojo port="8080" server="mojo" />
    <morbo port="3000" />
    <net ipv4="$IP" />
    <roles database="yes" frontend="yes" />
    <wiki domain="netyce.com" ip="" local="no" name="wiki" proto="http" />
    <yce_db primary_db="$HOSTNAME" secondary_db="" />
  </yce>
</setup>
EOF
Make sure the ownership of yce_setup.xml and net_setup.xml is yce:nms.
cat > /opt/yce/etc/tool_setup.xml << EOF
<!--
  === Scheduler and job tool configuration file ===
  See the NetYCE wiki article for a detailed description:
  http://wiki.netyce.com/doku.php/operate:jobs:job_configuration

  Currently supported job_type names:
    command_job
    basic_cmd_job
    startup_cfg
    reload_node
    connect_dce
    RXvlan_job
    port_config - does not use scheduler: no approvals apply
    os_upgrades
  Job types not listed above currently will use the <default> job definitions.
  Support will be incorporated in ongoing releases.
  Job-types not configured explicitly below will also use the <default> job definitions.
  All variables not configured explicitly in their <job_type> definitions will be lifted from the <default> definition.
-->
<tool_setup>
  <queues>
    <queue name="evpn" done_age="180" cancel_age="1800" job_int="20" max_run="50" max_wait="3600" />
    <queue name="ios" done_age="180" cancel_age="1800" job_int="5" max_run="20" max_wait="3600" />
    <queue name="yce" done_age="180" cancel_age="1800" job_int="2" max_run="50" max_wait="3600" />
  </queues>
  <defaults job_type="default" queue="yce">
    <auditors levels="3456" />
    <notify pending="yes" cancel="yes" suspend="yes" />
    <approvals name="1" levels="" threshold="0" limit="0" />
    <approvals name="2" levels="" threshold="0" limit="0" />
    <approvals name="3" levels="" threshold="0" limit="0" />
    <approvals name="4" levels="" threshold="0" limit="0" />
    <approvals name="5" levels="" threshold="0" limit="0" />
    <approvals name="6" levels="" threshold="0" limit="0" />
    <change_id option="1" hint="C000xxxxxx">
      <validation>^C000(\d){6}$</validation>
      <validation>^O000(\d){6}$</validation>
      <validation>^O000(\d){6}\-(\d){3}$</validation>
    </change_id>
  </defaults>
  <command_job job_type="command_job" queue="yce">
    <auditors levels="3456" />
    <notify pending="yes" cancel="yes" suspend="yes" />
    <approvals name="2" levels="" threshold="0" limit="0" />
    <approvals name="3" levels="" threshold="0" limit="0" />
    <approvals name="4" levels="" threshold="0" limit="0" />
    <approvals name="5" levels="" threshold="0" limit="0" />
    <approvals name="6" levels="" threshold="0" limit="0" />
    <change_id option="1" hint="C000xxxxxx">
      <validation>^C000(\d){6}$</validation>
      <validation>^O000(\d){6}$</validation>
      <validation>^O000(\d){6}\-(\d){3}$</validation>
      <validation>^T000(\d){6}$</validation>
    </change_id>
  </command_job>
  <startup_config job_type="startup_config">
    <change_id hint="T000xxxxxx">
      <validation>^T000(\d){6}$</validation>
    </change_id>
  </startup_config>
  <RXvlan_job job_type="RXvlan_job" queue="evpn">
  </RXvlan_job>
  <os_upgrades job_type="os_upgrades" queue="ios">
  </os_upgrades>
</tool_setup>
EOF
Make sure /var/opt/shared is owned by root:root with mode 755, and that /var/opt/shared/public is owned by yce:nms, also with mode 755.
The root ownership is not cosmetic: vsftpd 3.x refuses to chroot a user whose chroot root directory is writable, so a writable /var/opt/shared would break the ycicle ftp logins. Uploads go into the yce-owned subdirectories instead.
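The ownership and account requirements from the steps above can be verified with the following script, an added example for this guide and not NetYCE code. It checks the owner and mode of the shared tree, compares the ycicle entry in /etc/passwd with the yce entry (same uid and gid, home /var/opt/shared, shell /bin/MySecureShell) and checks the vsftpd chroot list. The paths and expected owners are the ones stated in this guide; the script name and the helper functions are this example's own. The checks take their inputs as arguments so they can be run against test files; 'sh netyce_verify_transfer.sh --run' checks the live host.

```sh
#!/bin/sh
# netyce_verify_transfer.sh - added example for this guide, not NetYCE software.
# Verifies the transfer-account setup: owner/mode of the shared tree, the
# 'ycicle' passwd entry and the vsftpd chroot list. Inputs are arguments so the
# checks can be run against test files; '--run' checks the live host.

# owner_mode PATH: print "user:group mode", e.g. "root:root 755"
owner_mode() {
    stat -c '%U:%G %a' "$1" 2>/dev/null
}

# check_owner_mode PATH USER:GROUP MODE: 0 when PATH exists with exactly that owner and mode
check_owner_mode() {
    [ "$(owner_mode "$1")" = "$2 $3" ]
}

# passwd_field PASSWD_FILE USER N: print field N of the user's entry (1=name 3=uid 4=gid 6=home 7=shell)
passwd_field() {
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"
}

# check_sftp_account PASSWD_FILE: 0 when 'ycicle' exists, shares uid and gid with 'yce',
# has /var/opt/shared as home and /bin/MySecureShell as its shell
check_sftp_account() {
    f=$1
    uid=$(passwd_field "$f" ycicle 3)
    [ -n "$uid" ] || return 1
    [ "$uid" = "$(passwd_field "$f" yce 3)" ] || return 1
    [ "$(passwd_field "$f" ycicle 4)" = "$(passwd_field "$f" yce 4)" ] || return 1
    [ "$(passwd_field "$f" ycicle 6)" = /var/opt/shared ] || return 1
    [ "$(passwd_field "$f" ycicle 7)" = /bin/MySecureShell ]
}

# check_chroot_list FILE USER: 0 when USER is listed, i.e. is chrooted by vsftpd
check_chroot_list() {
    grep -qx "$2" "$1" 2>/dev/null
}

# verify_main: run the live checks; prints a FAIL line per problem, returns 1 if any
verify_main() {
    rc=0
    check_owner_mode /var/opt/shared root:root 755 || { echo "FAIL: /var/opt/shared must be root:root 755"; rc=1; }
    check_owner_mode /var/opt/shared/public yce:nms 755 || { echo "FAIL: /var/opt/shared/public must be yce:nms 755"; rc=1; }
    check_sftp_account /etc/passwd || { echo "FAIL: ycicle must share uid/gid with yce, home /var/opt/shared, shell /bin/MySecureShell"; rc=1; }
    check_chroot_list /etc/vsftpd/chroot_list ycicle || { echo "FAIL: ycicle is missing from /etc/vsftpd/chroot_list"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    verify_main
fi
```

Run it as root after creating the ycicle account and the shared tree, and again after the yce binary has generated its config files, since the setup rewrites the vsftpd and sftp configuration.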
Run the binary again; this time it should be able to generate the config files:
sh yce_7.1.1_20190522.bin
# httpd
cp /opt/yce/etc/rhel7_httpd.conf /etc/httpd/conf.d/yce.conf
mkdir /etc/systemd/system/httpd.service.d
cp /usr/lib/systemd/system/httpd.service /etc/systemd/system
cp /opt/yce/system/init/httpd.service.d-yce.conf /etc/systemd/system/httpd.service.d/yce.conf
systemctl daemon-reload
systemctl restart httpd
# MariaDB
cp /opt/yce/etc/rhel7_mysql.conf /etc/my.cnf
cp /usr/lib/systemd/system/mariadb.service /etc/systemd/system/
mkdir /etc/systemd/system/mariadb.service.d
cp /opt/yce/system/init/mariadb.service.d-yce.conf /etc/systemd/system/mariadb.service.d/yce.conf
systemctl daemon-reload
# yce_psmon (as root)
cd /etc/systemd/system
cp /opt/yce/system/init/yce_psmon.service .
systemctl daemon-reload
systemctl stop yce_psmon
Then run the installer once more:
sh yce_7.1.1_20190522.bin
Backup and Extraction will use /usr/bin/openssl and /usr/bin/gtar
Will extract to '/var/tmp/yce_install/YCE_7.1.1_20190522'
Skipping rollback archive: file exists 'YCEsrc_rhel7_20190806.des3'
Starting YCE installation verifications
Located YCE perl. Good
Installing YCE with 'root' privileges
Verifications complete
Found installation YCE manifest file '/var/tmp/yce_install/YCE_7.1.1_20190522/YCE_7.1.1_20190522.xml'. Good
Reading manifest '/var/tmp/yce_install/YCE_7.1.1_20190522/YCE_7.1.1_20190522.xml'
Parsing manifest parameters
Looking for existing YCE configuration
Loading existing YCE configuration
Will perform installation update in '/opt/yce'
Continue to do an UPDATE install? [Y] Y
Located YCE license file '/opt/yce/etc/yce_license'
Location of 'yce_license'? [/opt/yce/etc/yce_license]
Will use YCE license file '/opt/yce/etc/yce_license'. Good
License registered to 'netYCE'
OK: License will not expire until '20191231'
/var/tmp/yce_install/YCE_7.1.1_20190522/YCE_7.1.1_20190522.xml version = 7.1.1
License version '7' matches distribution version '7.1.1'. Good
You have licences for: IOS NCCM Infoblox Netcool YCE
Found YCE distribution archive '/var/tmp/yce_install/YCE_7.1.1_20190522/YCEsrc_7.1.1_20190522.des3'. Good
Scanning build information of previous installed manifests
WARNING: Missing manifest file of previous installation
Must perform an initial install using interactive shell
Cannot continue using automatic updates - must perform first install
Error found. Continue? y
Starting package installations
yce_core (1)
nccm (2)
c3_connect (3)
dce_connect (5)
netcool_reporter (6)
netcool_services (9)
infoblox_dhcp (11)
os_upgrades (13)
rn3_evpn_failover (14)
netcool_mes (15)
infoblox_dns (16)
rn3_central (19)
rn3_sla (20)
Removing unlicensed package 'compliancy', requiring license 'Compliancy'
File installation complete
Do you want to create config files at this time? [Y]
Starting configuration creation
-- ----------------------------------------
-- Starting 'yce_setup' interactive
-- operating system: CentOS (7.6.1810)
-- read network setup: '/opt/yce/etc/net_setup.xml'
-- read yce setup: '/opt/yce/etc/yce_setup.xml'
WARNING: No NetYCE database can be reached

YCE servers currently in setup:
  #  Hostname  IP-address      FQDN
* 0) rhel7     192.168.56.103  rhel7.netyce.org
Select the server# to Remove, or 'A' to add, 'C' to continue: [C]

YCE server roles:
  #  Hostname  Front-end  SSL   HTTPD  URL   Mojo  Database  Id
* 0) rhel7     yes        http  root   name  8080  yes       1
Select the server# to change, 'C' to continue: [0] C

YCE server database mapping:
  #  Hostname  Db-Id  Primary  Secondary
* 0) rhel7     1      rhel7
Select the server# to change, 'C' to continue: [0] C

Login setup:
Domain name for login (single-sign-on cookie)? [netyce.org]
Hours until Login session expiry (single-sign-on cookie)? [10]
Login setup:
  Single-sign-on domain  Expire (hrs)
  netyce.org             10

Wiki setup:
'rhel7' will use the NetYCE public Wiki server? [Y]

-- New setup
#
# YCE Server overview:
# Name   Domain      IP-address      Database  Front-end  Primary-db  Secondary-db
# ----   ------      ----------      --------  ---------  ----------  ------------
# rhel7  netyce.org  192.168.56.103  id=1      yes        rhel7
#
-- Saved setup in '/opt/yce/etc/yce_setup.xml'
Create the YCE, httpd, and mysql configuration files for the this system
* 0) 'rhel7'
Create configuration for local server (y/n) ? [Y]
-- Create configs for server 'rhel7'
-- Yce: /opt/yce/etc/rhel7_yce.conf
WARNING vsftpd_conf: 'vsftpd_conf': psmon not running
WARNING sftp_conf: 'sftp_conf': psmon not running
WARNING vsftpd_chroot: 'vsftpd_chroot': psmon not running
WARNING sshd_conf: 'sshd_conf': psmon not running
cannot support 'sftp'
cannot support 'scp'
cannot support 'ftp'
can support 'tftp'
-- Mojo: /opt/yce/htdocs/angular/app/host.js
-- mojo url set to 'http://rhel7.netyce.org:8080/'
-- wiki url set to 'http://wiki.netyce.com/'
-- cacheswap 'rhel7' now at '201908060618'
-- Yce_psmon: /opt/yce/etc/rhel7_psmon.conf
ERROR: No sudo permissions available
ERROR: No sudo permissions available
ERROR: No sudo permissions available
ERROR: No sudo permissions available
-- Crontab: /opt/yce/etc/rhel7_crontab.conf
-- Httpd: /opt/yce/etc/rhel7_httpd.conf
-- Mysql: /opt/yce/etc/rhel7_mysql.conf
-- mysql version is '10.3.17'
-- mysql key_buffer set to '202M'
-- mysql tmpdir set to '/var/tmp'
-- Updating 'rhel7' menu-tree (C)
-- Creating menus for the role(s): "frontend","database"
-- Renewed the menu tree using the default
-- Updating 'rhel7' encryption keys
-- Updating scenario syntax highlighting file
-- Renewing NMS table permissions
-- Updating 'rhel7' my.cnf
WARNING: psmon copy failed (not running)
-- Daemons to restart: yce_psmon mysqld yce_tftpd yce_skulker yce_sched yce_nccmd yce_ibd morbo mojo
-- Relaunching NetYCE daemons...
-- yce_psmon:
   start: yce_psmon start
   wait start 'yce_psmon':
-- mysqld:
   start: mysql start
   wait start 'mysqld':
-- yce_tftpd: 3165
   stop: /bin/sudo /opt/yce/system/init/yce_tftpd stop
   wait stop 'yce_tftpd':
   start: /bin/sudo /opt/yce/system/init/yce_tftpd start
   wait start 'yce_tftpd': 3668
-- yce_skulker: 3185
   stop: /opt/yce/system/init/yce_skulker stop
   wait stop 'yce_skulker': 3185
   wait stop 'yce_skulker':
   start: /opt/yce/system/init/yce_skulker start
   wait start 'yce_skulker': 3691
-- yce_sched: 3207
   stop: /opt/yce/system/init/yce_sched stop
   wait stop 'yce_sched':
   start: /opt/yce/system/init/yce_sched start
   wait start 'yce_sched': 3713
-- yce_nccmd:
   start: /opt/yce/system/init/yce_nccmd start
   wait start 'yce_nccmd': 3725
-- yce_ibd: # disabled
-- morbo: # disabled
-- mojo: 3305 3306 3307 3308 3309 3310 3311
   stop: /opt/yce/system/init/yce_mojo stop
   wait stop 'mojo':
   start: /opt/yce/system/init/yce_mojo start
   wait start 'mojo': 3798 3799 3800 3801 3802 3803 3804
-- done
Relaunching XCH API...
Stopping daemon 'yce_xch': 3347
Starting daemon 'yce_xch'
-- Completed
SKIPPING PATCH INSTALL
The patches MUST be installed when the YCE database is operational
Patches must be installed using: '/opt/yce/system/patches/patch_install.pl'
Installation completed
Exiting installation. Cleanup
Cleanup YCEsrc_7.1.1_20190522
Completed - 1 Errors detected
Put the database in place. I assume you made a .tgz of the /var/opt/mysql dir of a running NetYCE you want to migrate.
systemctl disable mariadb
systemctl stop mariadb
Check if a .conf file is present in /etc/systemd/system/mariadb.service.d/; if so, delete it:
rm migrated-from-my.cnf-settings.conf
Make sure /var/opt/mysql/ is empty before copying your database into it. In my case I extracted the database in /home/yce/var/opt/mysql/:
rm -rf /var/opt/mysql/*
cp -a /home/yce/var/opt/mysql/* /var/opt/mysql/
sudo systemctl enable mariadb
sudo systemctl start mariadb
If you see a message like “Warning: mariadb.service changed on disk. Run 'systemctl daemon-reload' to reload units.” check with
ps -axuf | grep mysql
whether it is really running or not, because as I am writing this, this seems to be a false message and the daemon is actually running.
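The database migration steps above as one script, added here as an example and not part of NetYCE's own tooling: it stops and disables the packaged MariaDB, removes the leftover systemd drop-in, refuses to copy into a non-empty datadir, and checks the process list rather than trusting the unit warning. The SYSTEMCTL and DROPIN_DIR variables and the source/target paths are assumptions so the functions can be dry-run outside a NetYCE server.

```shell
#!/bin/sh
# Added example, not NetYCE's own tooling: restore a migrated MariaDB datadir
# with the checks the steps above imply. SYSTEMCTL and DROPIN_DIR are
# assumptions so the functions can also be dry-run outside a NetYCE server.
set -eu

SYSTEMCTL="${SYSTEMCTL:-systemctl}"
DROPIN_DIR="${DROPIN_DIR:-/etc/systemd/system/mariadb.service.d}"

# Delete any systemd drop-in (e.g. migrated-from-my.cnf-settings.conf) left
# by the packaged MariaDB, so the NetYCE-generated my.cnf is authoritative.
remove_mariadb_dropin() {
  [ -d "$1" ] || return 0
  for f in "$1"/*.conf; do
    [ -e "$f" ] || continue
    rm -f "$f"
  done
  "$SYSTEMCTL" daemon-reload
}

# Copy the extracted datadir into place. Refuse a non-empty target so an old
# database is never silently merged with the migrated one; cp -a keeps the
# ownership and modes of the database files instead of re-owning them.
restore_datadir() {
  src="$1"; dst="$2"
  [ -d "$src" ] || { echo "source '$src' missing" >&2; return 1; }
  [ -d "$dst" ] || { echo "target '$dst' missing" >&2; return 1; }
  if [ -n "$(ls -A "$dst")" ]; then
    echo "target '$dst' is not empty; clear it first" >&2
    return 2
  fi
  cp -a "$src"/. "$dst"/
}

# Decide from a 'ps -axuf' listing whether mysqld/mariadbd really runs,
# ignoring the grep line itself and the 'changed on disk' unit warning.
mysqld_running() {
  printf '%s\n' "$1" | grep -v 'grep' \
    | grep -Eq '(^|[[:space:]/])(mysqld|mariadbd)([[:space:]]|$)'
}

# Full sequence from the text: disable and stop, clean, restore, re-enable.
migrate_db() {
  "$SYSTEMCTL" disable mariadb
  "$SYSTEMCTL" stop mariadb
  remove_mariadb_dropin "$DROPIN_DIR"
  restore_datadir "$1" "$2"
  "$SYSTEMCTL" enable mariadb
  "$SYSTEMCTL" start mariadb
  mysqld_running "$(ps -axuf)"
}
```

Run as root with `migrate_db /home/yce/var/opt/mysql /var/opt/mysql`; a non-zero exit from the final check means the daemon did not come up regardless of what systemctl printed.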
After the database is running, as the yce user:
go patches
./patch_install.pl
You might encounter the following:
[18112302] ERROR: Failed to create Ipv6_map_view
Ipv6_map_view: "sql exec err: Column count of mysql.proc is wrong. Expected 21, found 20. Created with MariaDB 100215, now running 100316. Please use mysql_upgrade to fix this error"
[18112302] Adding Mgmt_addr column to Ipv6_map table failed
ERROR: Patch '18112302' failed
[19022703] ERROR: Failed to create Ipv6_map_view
Ipv6_map_view: "sql exec err: Column count of mysql.proc is wrong. Expected 21, found 20. Created with MariaDB 100215, now running 100316. Please use mysql_upgrade to fix this error"
[19022703] renewing Ipv6_map_view view failed
ERROR: Patch '19022703' failed
[19022707] ERROR: Cannot create view 'Ipv6_subnet_view': "sql exec err: Column count of mysql.proc is wrong. Expected 21, found 20. Created with MariaDB 100215, now running 100316. Please use mysql_upgrade to fix this error"
[19022707] Updating Ipv6 subnet view failed
ERROR: Patch '19022707' failed
Fix this by doing the following:
$ mysql_upgrade -u netYCE -p
Enter password:
Phase 1/7: Checking and upgrading mysql database
Processing databases
(I will skip all output that says OK, because there's a lot of that)
Phase 2/7: Installing used storage engines... Skipped
Phase 3/7: Fixing views
YCE.Ipv6_prefix_view
Error    : Column count of mysql.proc is wrong. Expected 21, found 20. Created with MariaDB 100215, now running 100316. Please use mysql_upgrade to fix this error
error    : Corrupt
Run
yce_setup.pl -r
to regenerate the configuration.
Somehow vsftpd doesn't get started at this point, so for the time being:
sudo systemctl enable vsftpd
sudo systemctl start vsftpd